Facebook's Growing Privacy Concern

With GDPR imminent (25 May), Facebook's problems in Europe are mounting. In April, CEO Mark Zuckerberg was questioned by Congress on the Cambridge Analytica affair. He declined to face British lawmakers, sending CTO Mike Schroepfer in his place. Now Damian Collins, head of the UK parliament’s Digital, Culture, Media and Sport Committee, has said, "We hope that [Zuckerberg] will respond positively to our request, but if not the Committee will resolve to issue a formal summons for him to appear when he is next in the UK."

It's not just the Cambridge Analytica scandal. Austrian privacy activist Max Schrems has been pursuing Facebook for years. An earlier case against Facebook led to a European Court of Justice ruling on October 6, 2015 declaring the Safe Harbor agreement between the EU and U.S. to be unconstitutional and invalid. This is often described as the Schrems Ruling, and is now part of EU case law.

Safe Harbor was replaced by Privacy Shield, and Max Schrems has pursued a largely similar course of action -- claiming that his rights as an EU citizen are violated when Facebook transfers his PII to the U.S., where it is readily accessible to third parties. Once again the case was heard in Ireland (Facebook's EU home), and once again it has been referred to the Court of Justice of the EU for a decision.

The Schrems Ruling will undoubtedly figure in the court's deliberations; as will the new U.S. CLOUD Act that makes it easier for U.S. government agencies to access any data held by U.S. companies anywhere in the world.

At the end of April 2018, Facebook attempted to prevent the Irish court's latest referral by appeal -- but this was rejected by the Irish High Court on Wednesday, May 02. Facebook had argued that its rights would be prejudiced if a stay were not granted; the judge declared that there would be very real prejudice to the rights of millions of users if the referral were delayed.

There is now the possibility (many privacy activists believe probability) that the European Court of Justice will reject Privacy Shield in the same way, and for the same basic reasons, that it rejected Safe Harbor. The danger, if this were to happen, is that European regulators might not offer the big tech companies the same period of grace they did after the collapse of Safe Harbor. Facebook may be the catalyst, but the effect could impact a large number of U.S. companies trading with or in Europe.

GDPR is a further privacy complication. In April, Facebook's Erin Egan, VP and chief privacy officer, policy, and Ashlie Beringer, VP and deputy general counsel, published "Complying With New Privacy Laws and Offering New Privacy Protections to Everyone". Everyone, they wrote, "will be asked to review important information about how Facebook uses data and make choices about their privacy on Facebook. We’ll begin by rolling these choices out in Europe this week."

European privacy activists are not impressed. Cliqz (a German firm linked to Ghostery) published on Friday an open letter to Mark Zuckerberg commenting on his appearance before Congress last month, and stating, "you just plainly lied to the world public."

Cliqz's specific concern is Zuckerberg's claim, made before Congress, that he did not know about 'shadow profiles'. Cliqz explains, "Shadow profiles are the data that Facebook uses to track and collect those Internet users who have never been on Facebook or deliberately left the network."

A December 2017 study by Cliqz and Ghostery found that Facebook monitors nearly one-third of global internet traffic regardless of whether the user is a member of Facebook or not. "The evaluation of 'only' one-third of all the websites we visit is completely sufficient to know more about us than our closest relatives: whether we are in debt, suffering from a serious illness, cheating our partner, looking for a new job, which political attitudes and sexual preferences we have -- our Internet history reveals it."

It is these shadow profiles that Cliqz believes may bring Facebook into non-compliance with GDPR. "The collection of data about non-users in a way that leads to shadow profiles is Facebook’s weak spot when it comes to GDPR compliance," explains Jean-Paul Schmetz, Cliqz's CEO.

Schmetz believes the firm is making a decent effort to comply with GDPR for its users. But, "What about non-users?" he asks. "Non-members or those who deleted their account are still being tracked and can’t do anything to prevent Facebook from building shadow profiles about them. They still won't have any means to opt-out or have their data deleted or get insights into the data Facebook has about them. We think that if Facebook continues to neglect the problem of shadow profiles, the company risks high penalties from the EU for GDPR violation."

For a fair comparison, Facebook's traffic monitoring is second only to Google's -- which the same Cliqz/Ghostery study found to monitor 60.3% of internet traffic. For the moment, however, it is Facebook that is coming under closer European scrutiny.

A Thomson Reuters/Ipsos survey (PDF) published this weekend found that the Cambridge Analytica affair has not deterred Facebook users in the U.S.

The poll, conducted April 26-30, found that about half of Facebook’s American users said they had not recently changed the amount that they used the site, and another quarter said they were using it more. Only a quarter of American Facebook users said they are using it less frequently or have deleted their account.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.